Analysis and opinion by Christopher Soghoian, security and privacy researcher.

Wednesday, January 12, 2011

Microsoft: Competing on privacy?

Last week, Dean Hachamovitch, the Corporate VP at Microsoft in charge of Internet Explorer was interviewed on stage at the Consumer Electronics Show (CES) in Vegas. He was there to discuss the next version of the company's browser, and spent most of his time talking about his firm's commitment to privacy. Clearly not a fan of subtlety, Hachamovitch wore a t-shirt with the word "private" printed on it in large letters (the IE logo took the place of the letter e).

A few years ago, advertising executives within Microsoft pulled rank and forced the IE team to sabotage an otherwise pretty cool anti-tracking feature in IE8. After the company was rightfully savaged by the Wall Street Journal earlier this summer when it exposed the tale, Microsoft has now decided to offer a far more effective anti-tracking tool in IE9.

As I explained at length in a blog post last month, Microsoft has decided to try to compete on privacy, likely because it is an area in which one of its main competitors (Google) is rather weak. During his interview at CES, Hachamovitch himself was quite happy to take potshots at Google, and at the fact that the firm's advertising business is dependent upon facilitating, not stopping, the tracking of users.

A: Paying Windows customers want a great experience that includes privacy, including through their browser. But another way to view people who use browsers is that they’re objects to be boxed and sold. We don’t believe that. We believe Windows customers should have a great experience with their browser.

Q: As opposed to?

A: Well, Chrome, for instance, is funded by advertising.

While I of course believe that Microsoft's newfound religion on privacy is motivated by a desire to compete against Google, I see no reason to think that its commitment to "privacy" is anything but genuine. The problem lies with Microsoft's definition of privacy.

When Microsoft talks about the ways that it is innovating and shipping technologies designed to protect its users' privacy, it is talking about online tracking, not about the law enforcement and intelligence agencies that regularly request and obtain private user data. However, as proven by the NSA warrantless wiretapping scandal and the FBI's repeated abuse of its own surveillance powers, the threat to user privacy from the government is very real. Likewise, as Twitter demonstrated through its bold actions in fighting to have a court order for WikiLeaks-related data unsealed last week, companies can play a vital role, if they choose to do so, in protecting users.

The problem is that Microsoft, like so many firms, has a very narrow definition of privacy. To quote from my latest law journal article:

With few exceptions, the companies to whom millions of consumers entrust their private communications are committed to assist in the collection and disclosure of that data to law enforcement and intelligence agencies – all while simultaneously promising to protect their customers’ privacy.

When these firms speak about their commitment to protecting their customers’ privacy, what they really mean is that they will protect their customers’ data from improper access or use by commercial entities. The fact that these firms have a limited definition of privacy is not made clear to consumers, who may mistakenly believe that the companies to whom they entrust their data are committed to protecting their privacy from all threats, and not just those from the private sector.

It would be bad enough if Microsoft were just ignoring privacy threats from the government, but as I will now explain, the company has repeatedly gone out of its way to assist law enforcement and intelligence agencies in their effort to investigate users. It has put the interests of the government over the privacy of its regular customers.

How Microsoft sacrifices user privacy in order to assist the government

When asked in 2007 by the New York Times if the company was considering a policy to log no search data at all, Peter Cullen, Microsoft’s chief privacy strategist argued that too much privacy was actually dangerous. "Anonymized search," he said, "can become a haven for child predators. We want to make sure users have control and choices, but at the same time, we want to provide a security balance."

Similarly, the company proactively appends the IP address of each Hotmail user's personal computer to the headers of every outbound email. This is not required by any technical standard, and is a purely voluntary act on Microsoft's part. As far as I am aware, Microsoft and Yahoo are the only two major email providers that do this, and the end result is that law enforcement agencies can determine the IP address of the user who sent any Hotmail-originated email and thus go directly to the user's ISP to determine their identity, without having to go to the trouble of contacting Microsoft first.
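To make the disclosure concrete, here is an added example (not code from the post or from Microsoft) that audits a constructed email message for headers revealing the submitting client's IP address. The post does not name the header; the `X-Originating-IP` name used below is the one Hotmail was known to use at the time and is an assumption here, as are the other header names and every address in the sample. The example also shows why stripping the explicit header alone is not enough: the bottom-most `Received:` line, written by the provider's own submission server, can record the same address.

```python
import re
from email import message_from_string
from typing import Dict, List, Optional

# Constructed sample message; the hosts and addresses are documentation
# ranges, and the X-Originating-IP header name is an assumption (the post
# itself does not name the header Hotmail used).
SAMPLE_MESSAGE = """\
Received: from mail.example.net (mail.example.net [203.0.113.9])
\tby mx.example.org with ESMTP id abc123; Wed, 12 Jan 2011 10:00:00 +0000
Received: from client-host ([198.51.100.23])
\tby mail.example.net with HTTP; Wed, 12 Jan 2011 09:59:58 +0000
X-Originating-IP: [198.51.100.23]
From: alice@example.net
To: bob@example.org
Subject: hello
Message-ID: <constructed-1@example.net>

Body text.
"""

# Header names (assumed, lower-cased) that explicitly carry the client's IP.
CLIENT_IP_HEADERS = ("x-originating-ip", "x-original-ip", "x-sender-ip")

# Dotted-quad IPv4 literal, optionally wrapped in square brackets.
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def extract_ips(value: str) -> List[str]:
    """Return every IPv4 literal found in a header value (folded lines included)."""
    return IP_RE.findall(value)


def find_client_ip_disclosures(raw: str) -> Dict[str, List[str]]:
    """Map each explicit client-IP header in the message to the addresses it carries."""
    msg = message_from_string(raw)
    found: Dict[str, List[str]] = {}
    for name, value in msg.items():
        if name.lower() in CLIENT_IP_HEADERS:
            found.setdefault(name, []).extend(extract_ips(value))
    return found


def first_hop_ip(raw: str) -> Optional[str]:
    """IP recorded in the earliest (bottom-most) Received header.

    Received headers are prepended by each hop, so the last one in the
    message is the submission hop, which is where a webmail server records
    the browser's address.
    """
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    ips = extract_ips(received[-1])
    return ips[0] if ips else None


def strip_client_ip_headers(raw: str) -> str:
    """Return the message with all explicit client-IP headers removed.

    This is what a provider or outbound gateway would do to stop the
    voluntary disclosure; it does not touch the Received chain.
    """
    msg = message_from_string(raw)
    for name in CLIENT_IP_HEADERS:
        del msg[name]  # case-insensitive; removes every instance
    return msg.as_string()


if __name__ == "__main__":
    print("explicit disclosures:", find_client_ip_disclosures(SAMPLE_MESSAGE))
    print("first hop:", first_hop_ip(SAMPLE_MESSAGE))
    cleaned = strip_client_ip_headers(SAMPLE_MESSAGE)
    print("after stripping, explicit:", find_client_ip_disclosures(cleaned))
    print("after stripping, first hop:", first_hop_ip(cleaned))
```

Running it shows the explicit header gone after stripping while the first-hop `Received:` line still names the client, which is why a provider that wants to limit disclosure has to decide what its own submission server writes into that line, not merely drop an extra header.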

Microsoft has also developed computer forensics software which it freely distributes to government agencies, allowing them to easily extract private data from seized Windows computers. As the company states on the webpage for the COFEE forensics tool, "If it's vital to government, it's mission critical to Microsoft."

Finally, the most frustrating thing for me personally is Microsoft's position on disk encryption. Microsoft considers BitLocker disk encryption a "premium" feature, and restricts it to only those consumers who buy the Ultimate version of Windows 7. For consumers using the copy of Windows 7 Home Premium that came with the new PC they bought at Staples, the cost of the Ultimate upgrade is $139.95.

In contrast, Google has opted to ship disk encryption enabled by default on its new Chrome OS platform, and both Apple and Ubuntu Linux include encryption with their systems by default (to be enabled with a single checkbox during or after installation).

The end result of Microsoft's decision is that few regular consumers use BitLocker, and instead, those who do wish to use some form of disk encryption generally seek out third party software, like TrueCrypt.

I would be extremely surprised if Microsoft has extracted much additional profit through this decision. So much so that I suspect that money is not the reason for doing this. Instead, I suspect (and have heard rumors from insiders at Microsoft suggesting so) that it is an intentional move designed to limit the widespread adoption of encryption by regular users.

The man who either made this product decision or played a significant role in influencing it is Scott Charney, Microsoft's Corporate VP in charge of Trustworthy Computing. Before coming to Microsoft, Charney was a prosecutor in the Department of Justice and served as Chief of the Computer Crime and Intellectual Property Section (CCIPS).

Easy-to-enable (or, worse, deployed-by-default) disk encryption would seriously frustrate the investigative abilities of the law enforcement community, including many of his former colleagues.

What this means

Based on its current actions, it is clear that Microsoft is not interested in protecting its users from government intrusions into their privacy. Yes, the company has played a significant role in the Digital Due Process coalition, and executives have testified multiple times before Congress in the last year supporting the reform of the Electronic Communications Privacy Act (these actions on Microsoft's part are not entirely altruistic: updating electronic privacy law would give consumers and businesses more of a reason to entrust their private data to Microsoft's cloud services). However, such reforms (while an improvement) will only require that a judge approve the disclosure of data held in the cloud. If a judge says OK, the data will still be handed over.

As a software and technology company, Microsoft is in a fantastic position to actually offer solid protection to end users and embrace privacy by design. It can make use of limited (or zero) data retention periods, use encryption wherever possible, by default, to make sure that seized data is useless to anyone but its owner, and instead of building forensics software to extract data from Windows computers, the company should be hardening Windows so that all forensics software tools are unable to extract anything of value.

The problem for Microsoft (and so many other large companies) is that pissing off national and state governments isn't good for business, particularly when they are some of your largest customers. Furthermore, for a firm that is so actively engaged in Washington DC, any moves that seriously frustrate law enforcement interests would likely consume political capital that could otherwise be used lobbying for things that will actually improve the company's profits.

As such, I don't seriously expect Microsoft to fully embrace privacy, or to deploy any technology that will seriously frustrate law enforcement agencies. I'm not going to waste my time trying to argue that the company should do this. What I will argue though, is that the company should not be permitted to loudly advertise its commitment to privacy, when it is clearly not the case. The company's claims, quite simply, are false and deceptive. At the very least, the company should have to clarify its definition of privacy, and acknowledge, prominently, that it has opted to not protect users from government threats.

This is where the FTC (or other countries' consumer protection agencies) can and should play a role, if they wished. While companies have no obligation to protect their customers from government surveillance, they are at least obligated to make truthful statements when describing their products, particularly when the firms proudly advertise privacy as a major feature.

3 comments:

Anonymous said...

To be fair, many communications companies do advise that they may disclose data and assist law enforcement where required to do so by law. Many companies also actively press for legal provisions to regulate the investigatory powers of agencies regarding access to communications and subscriber data - they just don't make a song and dance about it

Microsoft used to be the king of spyware, but in my opinion, that crown was taken away by Google.

Both companies are the worst for spying on customers. What makes Google king in my opinion, is the fact that their whole business is based off spyware, and they have openly stated they save that information forever. I don't ever recall hearing Microsoft say they save their info forever.

Even the CEO of Google thinks this is ok, because he has the incredibly stupid opinion of, what have you got to hide.

I would not trust a Chrome operating system at all. You can pretty well bet it's embedded spyware, judging by the company's whole history. It probably reports everything back to Google.

Christopher Soghoian, Ph.D. is a Washington, DC based privacy and security researcher. He is the Principal Technologist in the Speech, Privacy and Technology Project at the American Civil Liberties Union.